In June, Microsoft postponed the introduction of its controversial Recall feature following a series of serious security issues. The AI-powered tool, designed to capture all user activity over the previous six months, was positioned as a solution that helps users track their activities and efficiently find previously visited websites, documents and apps. Microsoft developed Recall to allow users to “retrace their steps” by capturing screen snapshots every five seconds. The tool saves these images, catalogs the viewed content using AI, and then offers it to the user through a search function.
For cyber investigators, Recall could be a transformative force in evidence collection and analysis, improving both the investigation process and its results. However, the noise around cybersecurity concerns is loud, and rightly so. The tool's ability to capture and duplicate data means that threat actors could expose and exploit sensitive information.
Global Head of Cyber Security Services, S-RM.
Transforming forensic science, although gaps remain
Security concerns aside, Recall has the potential to revolutionize forensic investigations in the event of cyber incidents. First, its searchable format can dramatically speed up investigations by eliminating the arduous and time-consuming task of processing large amounts of evidence.
When digital evidence is lost, whether by clearing browser history or deleting files, Recall's screenshot capability would step in to ensure it remains accessible. Equipped with Recall, investigators could also visually verify their results, leading to greater confidence in the veracity of forensic findings.
Despite its advantages, Recall has critical blind spots. Most significantly, the absence of an audit log makes access to Recall data by threat actors and users untraceable. Threat actors can also evade detection by using apps like Edge's InPrivate mode, which Recall cannot track, and by engaging in hidden activities on the user's screen or settings. Looking at Recall as a whole, the advantages speak for themselves, but there is no suggestion that it is the complete solution for researchers looking to stop threat actors in their tracks.
Unintentionally giving threat actors an advantage
Remember runs the inherent risk of exposing sensitive information that threat actors could exploit, which ultimately was the driving force behind Microsoft's decision to delay its release.
Following the news of the release of Microsoft Recall, security researchers developed and released a tool called TotalRecall, which can locate, duplicate and translate the data collected by the Recall function into a plain text database, which is instantly searchable . Since attackers routinely exploit existing tools and systems to achieve their goals, they are likely to add TotalRecall to their arsenal, exploiting its knowledge wherever possible.
Lastly, Recall would likely increase the risk of extortion. With access to snapshots of user activity and computer usage data, attackers will possess enough sensitive data to create a powerful incentive to pay a ransom. The likelihood that this data contains personal information that poses a threat to an employee's personal life, and even their safety, significantly increases the risks of exposure.
Meet regulatory requirements
If Recall works as designed, we must operate under the assumption that all data the user accessed over the last six months could potentially be leaked if it is compromised. The wide range of data collected by technology makes it difficult to accurately categorize sensitive or regulated information. Aside from the risk of threat actors exploiting this data, Microsoft faces the difficult task of ensuring compliance with regulatory standards and preventing serious breaches.
Address concerns, but the door remains open
In response to concerns about TotalRecall and its mirroring feature, Microsoft announced the implementation of two new security features. First, the company implemented just-in-time encryption on the database. While this encryption could potentially prevent the leak of databases containing sensitive information, cybersecurity experts have not yet confirmed its effectiveness.
Additionally, Microsoft introduced a requirement for users to re-authenticate through Microsoft Hello before accessing the Recover feature. However, if attackers manage to bypass additional layers of security, unauthorized access remains a real concern and sensitive data could still be compromised.
Microsoft has also emphasized that the Azure AI tool, which analyzes snapshots captured by Recall, processes the data locally in the device's AppData folder, ensuring that sensitive information is not sent to the cloud. While this might allay the concerns of some, there is concrete evidence that AI prompts are being manipulated to bypass security measures in other AI systems. Developers should remain alert to the possibility that threat actors could leverage these same prompts to gain unrestricted access to a device and the information it contains.
Microsoft's recognition of these concerns is promising; However, additional preventive security measures are required to protect users from attackers who are on the sidelines looking for ways to exploit new technologies for their malicious activities.
Suggestions for future use
Looking ahead, there are a number of preventative security measures to keep in mind for the tool that has not yet been released for future users. Following these guidelines should increase security safeguards.
After enabling Recall, users should be meticulous when configuring their settings, strategically deciding which apps and websites should not be under their purview. However, it is critical that users understand that not all apps and browsers support Recall privacy settings.
Users are also recommended to implement robust anti-malware tools or endpoint detection solutions that can alert them if there are suspicious attempts to access Recall data.
Finally, while it is not yet clear whether Recall offers the option to shorten the retention period of your database, implementing such an option would limit the amount of data and reduce the potential for attackers to exploit it.
Recall promises a transformative change in digital forensics, offering a powerful tool for evidence collection and analysis thanks to its ability to recover data that would otherwise be out of reach. However, before implementing it, Microsoft must address pressing security concerns and make user security the overall priority. We will need conclusive evidence that data exposure and the threat of extortion is eliminated before we can trust its functionality.
We list the best Active Directory documentation tool.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here:
